HabitFlow – AWS 3-Tier Microservices Infrastructure

Overview

HabitFlow is a microservices-based application deployed on AWS using a 3-tier cloud architecture designed with multi-tier network isolation, independent microservice scaling, and centralized DNS and SSL management.

Tier	Layer	Components
Tier 1	Presentation	Frontend EC2 Auto Scaling Group
Tier 2	Application	Auth, Habit, Journal microservices
Tier 3	Data	Amazon RDS PostgreSQL

Architecture Diagram

Networking Layout

Custom VPC CIDR: 10.0.0.0/16

Availability Zone	Subnet Type	CIDR
us-east-1a	Public	10.0.1.0/24
us-east-1a	Private (App)	10.0.2.0/24
us-east-1b	Public	10.0.3.0/24
us-east-1b	Private (App)	10.0.4.0/24

Traffic Flow

Users
  ↓
Route 53
  ↓
AWS WAF
  ↓
External Application Load Balancer (HTTPS :443)
  ↓
Frontend Instances (Public Subnets – Multi-AZ)
  ↓
Internal Application Load Balancer
  ↓  /auth        /habits        /journal
Auth Service   Habit Service  Journal Service
  ↓
Amazon RDS PostgreSQL (via VPC Peering)

Public Layer

External Application Load Balancer

Receives internet traffic on HTTPS port 443
Performs SSL termination (certificate via ACM)
Routes traffic to frontend Auto Scaling Group

Frontend Auto Scaling Group

EC2 instances distributed across both AZs
Receives traffic from External ALB
Forwards API requests to Internal ALB

Bastion Host

Single SSH entry point for administrative access
Only accepts SSH from approved admin IP ranges
Private instances are not directly SSH-accessible

Admin → SSH → Bastion Host → SSH → Private Instances

NAT Gateway

Provides outbound internet access for private instances
Used for OS and package updates only
Single NAT Gateway (cost-optimized)

Application Layer (Private Subnets)

All backend services run in private subnets with no public IPs.

Service	Responsibility	Deployment
Auth Service	Authentication & authorization	Dedicated ASG
Habit Service	Habit management operations	Dedicated ASG
Journal Service	Journal management operations	Dedicated ASG

Internal Application Load Balancer

Routes frontend requests to the appropriate backend service:

/auth     → Auth Service
/habits   → Habit Service
/journal  → Journal Service

Database Layer

Engine: Amazon RDS PostgreSQL
Hosted in: Default VPC
Access: Private only — no public exposure
Connectivity: Custom VPC → VPC Peering → Default VPC → RDS

DNS and SSL

Service	Purpose
Amazon Route 53	Domain resolution → External ALB
AWS Certificate Manager	SSL certificate attached to External ALB

SSL termination occurs at the External ALB. All public traffic uses HTTPS 443.

Security Architecture

AWS WAF

Attached to the External Load Balancer. Protections include:

SQL injection filtering
Cross-site scripting (XSS) protection
Request rate limiting
Malicious request blocking

Network Isolation

Public and private subnets are strictly separated
Backend services have no public IPs
Database is isolated in a separate VPC with peering

Administrative Access

Direct SSH to application instances is blocked. All admin access routes through the Bastion Host.

Scaling Strategy

Each microservice scales independently via its own Auto Scaling Group, preventing a single service failure or traffic spike from impacting the entire platform.

Component	Scaling
Frontend	Independent ASG
Auth Service	Independent ASG
Habit Service	Independent ASG
Journal Service	Independent ASG

High Availability

Mechanism	Benefit
Multi-AZ deployment	Survives single AZ failure
Auto Scaling Groups	Elastic capacity per service
External + Internal ALB	Redundant load distribution
Distributed microservices	No single point of failure

AWS Services Reference

Service	Purpose
VPC	Network isolation
Public Subnets	Internet-facing infrastructure
Private Subnets	Backend workloads
EC2	Compute
Auto Scaling	Elastic capacity
External ALB	Public traffic distribution
Internal ALB	Internal service routing
NAT Gateway	Outbound connectivity for private instances
Bastion Host	Administrative SSH access
Route 53	DNS
ACM	SSL certificate management
WAF	Web application firewall
RDS PostgreSQL	Managed relational database
VPC Peering	Cross-VPC database connectivity
SNS	Notifications and alerts

Key Design Decisions

Backend services remain fully private with no public IPs
Database isolated in Default VPC, connected via VPC Peering
Bastion Host is the sole SSH entry point into the infrastructure
WAF protects all internet-facing traffic before it reaches the ALB
SSL managed centrally through ACM; terminated at the External ALB
Each microservice has its own ASG for independent scaling
Single NAT Gateway deployed for cost optimization